Received: from mx1.mailbun.net (unknown [170.39.20.100])
	by nld3-dev1.alpinelinux.org (Postfix) with ESMTPS id 427CF782B2D
	for <~alpine/devel@lists.alpinelinux.org>; Wed, 28 Apr 2021 22:37:51 +0000 (UTC)
Received: from 192.168.8.162 (unknown [107.125.25.50])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256)
	(No client certificate requested)
	(Authenticated sender: ariadne@dereferenced.org)
	by mx1.mailbun.net (Postfix) with ESMTPSA id 81526145913;
	Wed, 28 Apr 2021 22:37:47 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=dereferenced.org;
	s=mailbun; t=1619649468;
	bh=RIrcEsrr7kgZRyRXy3Yp9Xl4ChIzXvNXVak+edh3jWg=;
	h=Date:From:To:cc:Subject:In-Reply-To:References;
	b=bKxQhxKFIoq/biP1mGj2TdZKOA7piF+P6P5iClucMtuyOQJRrQOs74po7RKfxpgJq
	 F9Z2anIylV5MaHMeM9D6S3RwQNiWLBBDRFOiJcIAqDLOxGJcjbibhAc3tNCTSXLyi8
	 JFQGmY3kjYNz+9d4X3h7pXEdTtF5fV8KxZ47x9QHvqR0jybBvnrtHjMy6sNXegkG7r
	 0X8WmV3JuoyXZ83HO/0grJMppgvVIOugnA54WEWf8O4QzwY4XH1pLvmNlN6PBgI9AY
	 EN7S4Oq052Pq1vOvc2XuXGYQkzwcPjNnw+jUW5pBXLRsDgTSbw/kXoJ9D9i4lxHB+o
	 4RfwdjQqc3hFA==
Date: Wed, 28 Apr 2021 16:37:47 -0600 (MDT)
From: Ariadne Conill
To: Nir Ben-Eliezer
cc: Ariadne Conill,
    "~alpine/devel@lists.alpinelinux.org" <~alpine/devel@lists.alpinelinux.org>
Subject: RE: Security dispute over nodejs vulnerability in Alpine - Help!
In-Reply-To: 
Message-ID: 
References: <617756a6-b38c-aa47-86bd-269661b85522@dereferenced.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed

Hello,

On Wed, 28 Apr 2021, Nir Ben-Eliezer wrote:

> Hi Ariadne, and thank you very much for your quick response.
>
> I am asking this on behalf of one of our customers. I've used three
> different scanners; all yield the same result, identifying nodejs
> v12.20.1 as vulnerable in Alpine 3.13 and recommending an upgrade to
> v14.15.4-r0, where it is fixed.
>
> The reason why the scanners behave this way is the information listed
> on this page:
> https://git.alpinelinux.org/aports/blame/main/nodejs/APKBUILD?h=3.13-stable
> If you scroll down to rows 18-19, you'll see this:
>
> +# 14.15.4-r0:
> +# - CVE-2020-8265
> +# - CVE-2020-8287
>
> This indicates that CVE-2020-8265 is fixed in nodejs 14.15.4-r0 on
> Alpine's 3.13 branch. I did not find any place indicating that nodejs
> v12.20.1 also contains the fix in Alpine branch 3.13.

It appears that your scanners are probably using our security databases 
incorrectly, or at least making the wrong assumptions about how the 
version lifecycle works in secfixes land.

To explain: we publish security databases for every branch of Alpine; 
these can be fetched at https://secdb.alpinelinux.org/. These databases 
are compiled from the perspective of each branch. In other words, they 
only describe versions that are published in that branch.

Incidentally, one or more security companies are presently scraping our 
cgit instance for this information. It may be that you have stale 
information about the v3.13 branch if your security scanners were doing 
this, as we have recently taken action to stop abuse of our cgit 
instance for this purpose. In that case, see the above note about 
secdb.alpinelinux.org and you will have more reliable data.

Anyway, Alpine 3.13 does not credit v12.20.1 with the fix for 
CVE-2020-8265 because that version was never published in Alpine 3.13, 
only in Alpine 3.12. Each security database publishes information based 
on what packages have been published in that branch.

You may also wish to look at our security database viewer at 
https://security.alpinelinux.org/vuln/CVE-2020-8265, which shows both 
Alpine 3.12 and 3.13 having fixes in their respective versions of Node. 
You can query that as a webservice by sending the 
`Accept: application/ld+json` header, in which case you will be 
presented with parts of a JSON-LD graph containing the relevant data.

Please be kind when querying that webservice though. The software 
powering it is public, and you should run your own instance of it if 
you decide to make bulk queries.

Ariadne
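The branch-scoped lookup described in the message above, as an added example that is not part of the original thread and not Alpine's own tooling or any scanner's code. It shows the mistake the scanners made (comparing a 3.12 package version against the 3.13 feed) and the correct procedure: derive the branch from the image's /etc/alpine-release, load that branch's feed, and compare apk versions against the fixed versions listed there. Assumptions: the two embedded feeds are constructed samples whose shape ("distroversion", "reponame", "packages[].pkg.name/secfixes") mirrors what I know of the secdb.alpinelinux.org JSON; the 3.12 entry is filled in from the message's statement that 12.20.1 carries the fix there; the version comparator is a simplified reading of apk-tools' ordering rules (pre-release suffixes below bare versions, post-release suffixes above, then -rN), not a reproduction of them; the "_alpha means edge" heuristic for snapshot builds is my own. The JSON-LD webservice is not exercised here, since this runs offline.

```python
"""Branch-scoped Alpine secdb lookups (added example; feeds below are constructed)."""
import json
import re

# Constructed samples that mirror (assumption) the layout of
# https://secdb.alpinelinux.org/<branch>/main.json. Each branch only lists
# the versions *that branch* published, which is the point of the exercise.
SECDB_SAMPLES = {
    "v3.12": '{"distroversion": "v3.12", "reponame": "main", "packages": '
             '[{"pkg": {"name": "nodejs", "secfixes": {"12.20.1-r0": ["CVE-2020-8265"]}}}]}',
    "v3.13": '{"distroversion": "v3.13", "reponame": "main", "packages": '
             '[{"pkg": {"name": "nodejs", "secfixes": {"14.15.4-r0": ["CVE-2020-8265", "CVE-2020-8287"]}}}]}',
}

_PRE = ["alpha", "beta", "pre", "rc"]           # sort below the bare version
_POST = ["cvs", "svn", "git", "hg", "p"]        # sort above the bare version
_VERSION_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z])?(?:_([a-z]+)(\d*))?(?:-r(\d+))?")


def parse_apk_version(ver):
    """Turn an apk version like '14.15.4-r0' or '1.2.3_rc1-r2' into a comparable tuple.

    Simplified ordering (assumption): numeric components, optional trailing letter,
    optional _suffix (pre-release < none < post-release), then the -rN package revision.
    """
    m = _VERSION_RE.fullmatch(ver)
    if not m:
        raise ValueError(f"unparseable apk version: {ver!r}")
    nums, letter, suffix, suffix_num, rel = m.groups()
    parts = tuple(int(x) for x in nums.split("."))
    letter_rank = (ord(letter) - ord("a") + 1) if letter else 0
    if suffix is None:
        suffix_rank = (1, 0, 0)
    elif suffix in _PRE:
        suffix_rank = (0, _PRE.index(suffix), int(suffix_num or 0))
    elif suffix in _POST:
        suffix_rank = (2, _POST.index(suffix), int(suffix_num or 0))
    else:
        raise ValueError(f"unknown apk version suffix: _{suffix}")
    return (parts, letter_rank, suffix_rank, int(rel or 0))


def branch_from_release(alpine_release):
    """Map the contents of /etc/alpine-release ('3.12.5') to a secdb branch ('v3.12').

    Snapshot builds look like '3.14.0_alpha20210212'; treating those as 'edge' is
    an assumption of this example.
    """
    text = alpine_release.strip()
    if "_alpha" in text:
        return "edge"
    m = re.match(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised /etc/alpine-release: {text!r}")
    return f"v{m.group(1)}.{m.group(2)}"


def load_secdb(branch):
    """Parse the feed for one branch. Real use: GET secdb.alpinelinux.org/<branch>/<repo>.json."""
    return json.loads(SECDB_SAMPLES[branch])


def fixed_versions(db, pkgname, cve):
    """All package versions this branch's feed credits with fixing the CVE."""
    found = []
    for entry in db["packages"]:
        pkg = entry["pkg"]
        if pkg["name"] != pkgname:
            continue
        for ver, cves in pkg.get("secfixes", {}).items():
            if cve in cves:
                found.append(ver)
    return found


def assess(branch, pkgname, installed, cve):
    """'fixed', 'vulnerable' or 'unknown', strictly from the perspective of one branch.

    'unknown' means the feed never published a fix entry for this package/CVE, which is
    not the same as 'not vulnerable'. Comparing a version the branch never shipped
    against its fixed versions (the scanners' mistake) produces a meaningless answer.
    """
    fixes = fixed_versions(load_secdb(branch), pkgname, cve)
    if not fixes:
        return "unknown"
    inst = parse_apk_version(installed)
    return "fixed" if any(parse_apk_version(f) <= inst for f in fixes) else "vulnerable"


def assess_image(alpine_release, pkgname, installed, cve):
    """The correct procedure: pick the feed for the branch the image actually runs."""
    return assess(branch_from_release(alpine_release), pkgname, installed, cve)


if __name__ == "__main__":
    # Wrong: a 3.12 image's nodejs judged against the 3.13 feed.
    print("3.13 feed vs 12.20.1-r0:", assess("v3.13", "nodejs", "12.20.1-r0", "CVE-2020-8265"))
    # Right: the branch comes from the image itself.
    print("image 3.12.5 vs 12.20.1-r0:", assess_image("3.12.5\n", "nodejs", "12.20.1-r0", "CVE-2020-8265"))
```

The thing to copy from this is the split between "vulnerable", "fixed" and "unknown": a feed that never lists a package version says nothing about it, and a scanner that silently falls back to a neighbouring branch's feed will report exactly the false positive in this thread.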